Network forensics generally relates to the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. Network forensic systems generally utilize one of two approaches: the “catch it as you can” approach and the “stop, look, and listen” approach. “Catch it as you can” systems immediately write the packets to a disk file, buffering in memory as necessary, and perform analysis in batches. “Stop, look, and listen” systems analyze the packets in memory, perform rudimentary data analysis and reduction, and write selected results to disk or to a database over the network.
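The following added example (not part of the original text) contrasts the two approaches on a constructed packet stream. The “catch it as you can” collector writes every packet to a file and answers questions later in a batch pass; the “stop, look, and listen” collector keeps only a running per-destination byte counter in memory and emits a record once a destination crosses a threshold. The packet fields, the sample traffic and the byte threshold are all assumptions made for the illustration.

```python
"""Two network-forensic capture strategies on constructed sample traffic."""
from __future__ import annotations

import json
import tempfile
from collections import Counter
from dataclasses import asdict, dataclass
from pathlib import Path
from typing import Iterable


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    length: int


# Constructed sample traffic (not captured from any real network).
SAMPLE_PACKETS = [
    Packet(0.00, "10.0.0.8", "10.0.0.4", 445, "tcp", 120),
    Packet(0.01, "10.0.0.8", "203.0.113.5", 443, "tcp", 1400),
    Packet(0.02, "10.0.0.4", "10.0.0.8", 445, "tcp", 60),
    Packet(0.03, "10.0.0.8", "203.0.113.5", 443, "tcp", 1400),
    Packet(0.04, "10.0.0.8", "198.51.100.9", 53, "udp", 80),
    Packet(0.05, "10.0.0.8", "203.0.113.5", 443, "tcp", 1400),
]


def catch_it_as_you_can(packets: Iterable[Packet], capture_file: Path) -> Path:
    """'Catch it as you can': persist every packet immediately, analyze later."""
    with capture_file.open("w") as fh:
        for pkt in packets:
            fh.write(json.dumps(asdict(pkt)) + "\n")
    return capture_file


def batch_analyze(capture_file: Path) -> dict[str, int]:
    """Offline batch pass over the full capture: bytes sent to each destination."""
    bytes_by_dst: Counter[str] = Counter()
    with capture_file.open() as fh:
        for line in fh:
            rec = json.loads(line)
            bytes_by_dst[rec["dst"]] += rec["length"]
    return dict(bytes_by_dst)


def stop_look_listen(packets: Iterable[Packet], byte_threshold: int) -> list[dict]:
    """'Stop, look, and listen': reduce in memory, write out only selected results.

    Only destinations that cross the threshold are ever recorded; everything
    else is discarded, so questions not anticipated up front cannot be asked later.
    """
    bytes_by_dst: Counter[str] = Counter()
    flagged: set[str] = set()
    emitted: list[dict] = []
    for pkt in packets:
        bytes_by_dst[pkt.dst] += pkt.length
        if bytes_by_dst[pkt.dst] >= byte_threshold and pkt.dst not in flagged:
            flagged.add(pkt.dst)
            emitted.append(
                {"dst": pkt.dst, "bytes": bytes_by_dst[pkt.dst], "flagged_at": pkt.ts}
            )
    return emitted


def run_demo() -> dict:
    """Run both strategies over the same constructed traffic and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        capture = catch_it_as_you_can(SAMPLE_PACKETS, Path(tmp) / "capture.jsonl")
        batch = batch_analyze(capture)
    streamed = stop_look_listen(SAMPLE_PACKETS, byte_threshold=4000)
    return {"batch": batch, "streamed": streamed}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The batch result retains the byte count for every destination, including the small SMB and DNS flows, whereas the streaming result contains a single record for the one destination that exceeded the threshold; that trade between storage cost and the ability to ask new questions after the fact is the practical difference between the two approaches.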
However, existing network forensic tools, such as network sniffers and packet capturing tools, passively collect information about network traffic. Such tools may be able to detect and capture information associated with communication sessions, such as hostnames, ports, protocols, IP addresses, etc.; however, such tools tend to receive network events outside of a host or system. That is, a network forensic tool, such as a network sniffer, may reside at a network edge and may receive network events concerning the network from one or more hosts or systems. Accordingly, network edge devices have no ability to establish any sort of context from within the host or system that is generating the event. Therefore, devices residing at a network edge may monitor, record, and/or analyze network traffic between the host and the device, but information that may be useful within the host is not obtained.
For example, FIG. 1 generally illustrates a comparative example including computing devices 104 and 108 in communication with a network edge device 116. The network edge device 116 may be commonly referred to as a “sniffer” which may monitor, capture, and analyze network traffic between the network edge device 116 and the computing devices 104 and 108. The network edge device 116 may further be in communication with a communication network 124, such as the internet. Accordingly, the network edge device 116 may monitor, capture, and analyze network traffic between the computing devices 104 and 108 and between the computing devices 104/108 and the communication network 124.
However, as previously mentioned, the network edge device 116 has no ability to monitor, capture, and/or analyze what is occurring within each of the computing devices 104 and 108. In at least one comparative example, computing device 108 may contain or otherwise be infected with one or more pieces of malware. The term “malware” is used herein to refer generally to any executable computer file or, more generally, “object” that is or contains malicious code, and thus includes viruses, Trojans, worms, spyware, adware, and the like. Indeed, the network edge device 116 may be able to monitor, capture, and analyze communication traffic including the information, both encrypted and unencrypted, source and destination ports, source and destination IP addresses, and protocols utilized by the computing device 108, but the network edge device cannot provide details regarding files modified, registry entries changed, and/or new processes that are created. Accordingly, the network edge device 116 has no way of knowing to what extent the virus may have impacted the computing device 108, what additional files may have become infected, or what running processes and/or objects are linked to the virus. What is needed, therefore, is a solution that eliminates the guesswork and allows for end-to-end visibility of every event within a system and/or within a network.
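To make the gap described above concrete, the following added example (not from the original text) builds two constructed data sets: flow records of the kind a network edge device such as device 116 can observe, and host-side events (process creation, socket connection, file modification, registry change) of the kind only a sensor inside computing device 108 could produce. `edge_only_view` shows what the edge record alone contains; `attribute_flows` joins each flow to the host event for the same socket and gathers the other activity of that process. The event schema, the IP addresses, the process image and the file and registry paths are all assumptions made for the illustration, and the second flow comes from a host with no host-side events to show the unattributed case.

```python
"""Edge-only flow records versus flows enriched with host-side context (constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Flow:
    """A connection as seen by a sniffer at the network edge."""
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class HostEvent:
    """An event recorded inside the host; 'detail' depends on 'kind'."""
    ts: float
    host: str
    kind: str      # process_create | net_connect | file_modify | registry_set
    pid: int
    detail: str    # image path, "src:port->dst:port", file path, or registry key


# Constructed flows: the first from device 108 (10.0.0.8), the second from device 104.
SAMPLE_FLOWS = [
    Flow(1.2, "10.0.0.8", 49200, "203.0.113.5", 443, "tcp"),
    Flow(2.0, "10.0.0.4", 50111, "198.51.100.9", 53, "udp"),
]

# Constructed host events: only device 108 has an in-host sensor in this scenario.
SAMPLE_HOST_EVENTS = [
    HostEvent(1.0, "device-108", "process_create", 4120, r"C:\Users\pub\updater.exe"),
    HostEvent(1.2, "device-108", "net_connect", 4120, "10.0.0.8:49200->203.0.113.5:443"),
    HostEvent(1.5, "device-108", "file_modify", 4120, r"C:\Windows\Temp\svc.dll"),
    HostEvent(1.6, "device-108", "registry_set", 4120, r"HKCU\Software\Example\Setting"),
]


def edge_only_view(flows: Iterable[Flow]) -> list[dict]:
    """What the edge device can record: endpoints and protocol, nothing about the host."""
    return [
        {
            "src": f"{fl.src_ip}:{fl.src_port}",
            "dst": f"{fl.dst_ip}:{fl.dst_port}",
            "proto": fl.proto,
        }
        for fl in flows
    ]


def attribute_flows(flows: Iterable[Flow], events: Iterable[HostEvent]) -> list[dict]:
    """Join each edge flow to the host process that opened the socket.

    The join key is the socket 4-tuple recorded by the in-host sensor; once a
    process is identified, its other events (files, registry) become context.
    """
    events = list(events)
    by_socket: dict[str, HostEvent] = {
        ev.detail: ev for ev in events if ev.kind == "net_connect"
    }
    results: list[dict] = []
    for fl in flows:
        key = f"{fl.src_ip}:{fl.src_port}->{fl.dst_ip}:{fl.dst_port}"
        ev: Optional[HostEvent] = by_socket.get(key)
        if ev is None:
            # No in-host telemetry for this socket: the edge record is all we have.
            results.append({"flow": key, "process": None, "context": []})
            continue
        same_pid = [
            e for e in events
            if e.host == ev.host and e.pid == ev.pid and e.kind != "net_connect"
        ]
        image = next((e.detail for e in same_pid if e.kind == "process_create"), None)
        context = [(e.kind, e.detail) for e in same_pid if e.kind != "process_create"]
        results.append({"flow": key, "process": f"{ev.pid} {image}", "context": context})
    return results


if __name__ == "__main__":
    for rec in edge_only_view(SAMPLE_FLOWS):
        print("edge:", rec)
    for rec in attribute_flows(SAMPLE_FLOWS, SAMPLE_HOST_EVENTS):
        print("attributed:", rec)
```

The edge view answers "which addresses and ports talked"; only the joined view answers "which process on device 108 made the connection and what else it changed", which is exactly the information the text says a network edge device cannot supply.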